Posted
by
timothy
on Thursday January 17, 2013 @09:25AM
from the handicapper-general dept.

mask.of.sanity writes "The Department of Homeland Security has taken charge of pushing medical device manufacturers to fix vulnerable medical software and devices after researchers popped yet another piece of hospital hardware. It comes after the agency pushed Philips to move to fix critical vulnerabilities found in its popular medical management platform that is used in a host of services including assisting surgeries and generating patient reports. To date, no agency has taken point on forcing the medical manufacturers to improve the information security profile of their products, with the FDA even dubbing such a risk unrealistic (PDF)."

What exactly do you think this means? Did you actually read any of the reports? The DHS joined almost all other federal agencies in making it policy not to fuck over the health or environment of low-income populations as part of their operations.
E.g. if the coast guard wants to test the effects of a new chemical dispersant for oil spills, this policy directs them to do it somewhere other than a lower-income fishing village in Louisiana.
Or if the nuclear regulatory commission wants to build a site to dis

That might be the case, but that has nothing to do with what you posted.
What you posted is actually the opposite of what you're implying - which is that the DHS is some cutthroat super-agency that disregards its narrowly defined mandates. This is an example of the DHS having to comply with the same mundane protocols that every other government agency does.

Has slashdot become so partisan that a guy posting a link gets modded to 0 or worse now? He's absolutely on topic with this as whether you agree or disagree with the POLICY, DHS should have zero roll in it.

It was assigned to the wrong DHS... this should fall under the Department of Health and Human Services (HHS [hhs.gov]). Someone needs to tell a director that Homeland Security is stealing a project that should be theirs (i.e. taking their power).

What does HHS or FDA know about computer security? Nothing. It is a technical niche. Trying to independently stand up a computer security audit group within every niche of government just because they all use computers is crazy.

As for DHS covering too many things.... DHS isn't really anything in itself. It's just an umbrella created after 911 to try and make connections between what where (and still are for the most part) essentially independent organizations that suffer from too much redundancy and tribalism. (Which is not to say the DHS is necessarily doing a good job of solving these problems).

As it's inevitable that more and more health-care products will contain electronics of sorts, shouldn't HHS or FDA acquire some expertise in this field? If it were a "one off" situation, yeah, I'd agree with you.

You are sort of feeding the trolls here, because the GPs original premise that FDA or HHS knows nothing about computer security is simply bogus flamebait.

I agree that those two agencies should improve their expertise rather than allowing a bunch of external security freaks stepping in between the Doctors and their tools. The expertise should be in-house, and tailored to the other systems used in hospitals. Handing this task to an outside umbrella agency is like having every mom calling the sheriff to enforc

This is where technical considerations and political considerations collide. The NSA has high-end capabilities, but is a spy agency that has always been explicitly prohibited from targeting the US. Just as we created the FBI to police ourselves vs. the CIA to police the world. Here is an article [wired.com] on the subject. Personally I do not think we should turn the NSA loose on ourselves. But admittedly in the case of computer security it can be extremely difficult to even determine whether a threat is foreign o

Let me rephrase... I thought that the NSA, in addition to whatever domestic or foreign intelligence gathering functions it may or may not have, was the government's go-to agency for providing guidelines, tools, and equipment for securing computers and data communications facilities. ie, if you want to secure a facility, follow NSA guideline X.

I disagree that "software is software." Everything changes in adversarial situations, where you are combatting adaptive, intelligent adversaries. The regulatory regime that is good for safeguarding against flaws in medical devices such as Therac-25 is not appropriate for the day-to-day operations of staying on top of computer security threats.

What does HHS or FDA know about computer security? Nothing. It is a technical niche.

What does the DHS know about computer security? Even less.

You don't have to know these things, you hire them in. Now, the issue of whether our government will do that based on merit or more likely not is a good point to raise, but it's a separate problem from not having the experience in-house already.

What does HHS or FDA know about computer security? Nothing. It is a technical niche.

What does the DHS know about computer security? Even less.

You don't have to know these things, you hire them in. Now, the issue of whether our government will do that based on merit or more likely not is a good point to raise, but it's a separate problem from not having the experience in-house already.

How can you hire, and manage, security experts if you don't know something about security yourself? What's a "security expert"? I know a guy who was a prosecutor for a while, then went looking for jobs as a corporate security consultant. Do you just hire an ex-cop? An ex-FBI agent? An ex-hacker? Do you take it on faith that they know what they're doing?

Years ago, government agencies developed in-house computer expertise, and they did a pretty good job. The VA hospitals developed VISTA, which is a better med

One of the big jobs of the FDA is to screen through millions of accident reports to find the few that are actually relevant to safety.

I've reviewed FDA accident reports. Out of 200 reports on medical lasers, I might find 100 about the hinge on a door to the cabinet being broken, or "malfunctions" of that nature. There might be one report about a serious incident, in which a patient was injured because a cotton swab caught fire or something.

DHS does a notoriously bad job of screening through millions of potential threats and figuring out which are the real threats. They're like a smoke alarm that continually gives false alarms until people ignore it.

What does your comment have to do with the conversation at hand?This isn't a false alarm, there is no need to "balance the risks and costs against the benefits."The DHS is being handed weaponized computer exploits and ideally they're going to turn around and say "You. Manufacturer. Fix it."

CERT (Computer Emergency Readiness Team) is under DHS, and I don't thing anyone could reasonably argue that reports of computer exploits should go to the FDA or the Dept of Health and Human Services, just because they're

DHS does a notoriously bad job of screening through millions of potential threats and figuring out which are the real threats. They're like a smoke alarm that continually gives false alarms until people ignore it.

What does your comment have to do with the conversation at hand?This isn't a false alarm, there is no need to "balance the risks and costs against the benefits."The DHS is being handed weaponized computer exploits and ideally they're going to turn around and say "You. Manufacturer. Fix it."

The DHS is being handed theoretical attacks which have never been used in the real world. The problem is to figure out whether these are realistic problems, and what the priority is for dealing with them.

It may be possible that somebody could hack into an insulin pump. Nobody has ever done so. It's hard to imagine why somebody would want to. Nobody could make any money doing it. Nobody could accomplish a political goal by doing so. It's not like a bank where somebody could transfer money. So it is a false a

Personally, I think this is a good thing. Now to just neuter them, and we'll be set.

My current job (IT admin in the financial sector) involves a fair bit of security work. A natural understanding of security is stunningly absent, even in places where security should be one of the highest concerns. Someone building an accounting program won't think about encrypting their data, because they're trained in accounting, not security. Someone programming a radiation therapy machine [wikipedia.org] won't think about hardware interlocks, because they're trained in programming software, not hardware safety.

Network-connected medical devices are becoming prevalent, and I expect they will only get more useful and necessary in time. They present opportunities for doctors, and hospital managers are trained in hospital management, not security.

I like seeing someone bringing a security-conscious mindset to the public. The DHS certainly wouldn't be my first choice, but they're better than not having anybody. Now if only we could get Bruce Schneier as Secretary...

It seems the DHS keeps expanding its mandate into ever broader areas.
And, quite frankly, that's a little creepy -- it's becoming this vast umbrella which has control over everything.

Well, yeah.

That is sort of the point of the thing.

The reason we have a consolidated Department of Defense (created ca. 1947-1949) is because of the absurd and damaging inter-service rivalries that became very visible in World War II.

The United States Department of Homeland Security (DHS) is a cabinet department of the United States federal government, created in response to the September 11 attacks, and with the primary responsibilities of protecting the United States of America and U.S. territories...from.. terrorist attacks, man-made accidents, and natural disasters.DHS is the equivalent to the Interior ministries of other countries. An interior ministry (sometimes ministry of home affairs) is a government ministry typically responsible for policing, national security, and immigration matters.

they were down here for the NFL playoffs with other agencies to bust people for fraudulent NFL gear, I kid you not.

That isn't quite as insane as it sounds. My guess is that most of the unlicensed merchandise is imported, and customs falls under DHS. Of course, you're free to feel that they shouldn't be spending the resources on unlicensed merchandise, but if anyone is going to enforce it, it would be DHS.

Sure, people in hospitals need information, but surely something which is assisting in the physical process of a surgery (etc.) doesn't need to be in the cloud, does it?

As someone who works for a company that writes medical systems software, I can tell you that at the very least the systems need network connectivity so that the different systems can consolidate data in one place for examination. The problem is that any network connected device is potentially vulnerable to random Joe plugging a laptop into the network and hacking away.

To illustrate why that's bad, I've run into situations in which a client site (read: Hospital) outright prohibited using SSL/TLS on their servers. They deemed their internal network secure and refused to budge on allowing secure communications between the clients and the servers. Authentication information should always be encrypted and some administrators just don't get that.

As a whole, I think the medical technology industry needs someone to force tighter security requirements on software developers and medical sites as a whole. This is a good thing in my opinion. If that appropriate someone is the DHS may require a different discussion, but some government body needs to start pushing information security in the medical industry.

Sure, people in hospitals need information, but surely something which is assisting in the physical process of a surgery (etc.) doesn't need to be in the cloud, does it?

As someone who works for a company that writes medical systems software, I can tell you that at the very least the systems need network connectivity so that the different systems can consolidate data in one place for examination. The problem is that any network connected device is potentially vulnerable to random Joe plugging a laptop into the network and hacking away.

That's interesting. My uncle had a pacemaker in the 70s and I'm pretty sure it didn't have any network capabilities.

To illustrate why that's bad, I've run into situations in which a client site (read: Hospital) outright prohibited using SSL/TLS on their servers. They deemed their internal network secure and refused to budge on allowing secure communications between the clients and the servers. Authentication information should always be encrypted and some administrators just don't get that.

As a whole, I think the medical technology industry needs someone to force tighter security requirements on software developers and medical sites as a whole. This is a good thing in my opinion. If that appropriate someone is the DHS may require a different discussion, but some government body needs to start pushing information security in the medical industry.

To illustrate why that's bad, I've run into situations in which a client site (read: Hospital) outright prohibited using SSL/TLS on their servers. They deemed their internal network secure and refused to budge on allowing secure communications between the clients and the servers. Authentication information should always be encrypted and some administrators just don't get that.

I hope you walked away from that client, or ignored their prohibition.

Similarly to Tha_Big_Guy23, elsewhere in this thread, I worked (past tense) for a health care company - Siemens - on a blood analysis unit that had Internet connectivity for support reasons. These units run 24/7 and any downtime is huge. In many cases, the volume of diagnostic information would take too long to send over a dial-up connection, if it was even available. Software updates were supposed to be "push capable." Also, the software provided VNC - desktop sharing - so one operator could keep track

Not that I support having my hospital equipment on the Interwebs, but there are instances, such as remote robotic-assistance surgery, where it's either that or lay your own cable. Any respectable hospital will use a VPN, yada, etc, but it still requires an internet connection.

This issue will only become thornier unless clear-cut best management practices are established with respect to what gets on the Internet and what doesn't. Robo-surgery? Well, ok but it needs to be securing using A, B and C. My IV drip

manufacturers need to let os updates and AV software to be install on there systems if they want / need to be on the hospital network.

Because running untested software is a bad idea. Heath care systems and medical device software should get the benefits of updates and patches, but only after those updates have been tested for those specific systems and software. Whatever the vendor does prior to release is insufficient.

When entire hospital processes come to a halt because the latest AV update mistakenly identifies a core OS file as a trojan, you'll come back and say, why are manufactures letting updates to be installed on their systems?

As with many things, the best path is in the middle. Critical systems should be updated as preventative maintenance, but administrators cannot rely on vendor testing alone.

manufacturers need to let os updates and AV software to be install on there systems if they want / need to be on the hospital network.

Because running untested software is a bad idea. Heath care systems and medical device software should get the benefits of updates and patches, but only after those updates have been tested for those specific systems and software. Whatever the vendor does prior to release is insufficient.

When entire hospital processes come to a halt because the latest AV update mistakenly identifies a core OS file as a trojan, you'll come back and say, why are manufactures letting updates to be installed on their systems?

As with many things, the best path is in the middle. Critical systems should be updated as preventative maintenance, but administrators cannot rely on vendor testing alone.

Why update the software? Pacemakers and insulin pumps were available long before you could wirelessly update them. If it is such a threat, then don't enable wireless updates. Plain and simple. My God, how did we exist before computers did everything for us!?

Why update the software? Pacemakers and insulin pumps were available long before you could wirelessly update them. If it is such a threat, then don't enable wireless updates. Plain and simple. My God, how did we exist before computers did everything for us!?

This discussion isn't about having computers do anything for us. It's about how we use computers as tools to do things. How did we have conversations before computers? Well, we did, and yet here you are using a network of computers to have a conversation.

As for the ability to update the software in a medical device, it's about trade-offs and compromises. ObCarAnalogy: computers in cars have made maintenance more complicated, so why not take the computers out of cars? Sure, if you also want to remove th

You misunderstand my post. I am not saying that we shouldn't have these devices, but if the risk from the software, or somebody hacking the software is so great that homeland security has to take it over, then maybe the very benefits and tradeoffs you mention should be looked at again.

As for the car analogy, computers CAN make cars more fuel efficient, but in reality, they have a smaller impact on fuel efficiency than people think and are really used to keep pollution down and to keep from making the tough

before turning all of this over to Homeland Security, I'd like to know how many pacemakers and insulin pumps have been hacked versus how many are out there? Is this a true threat or just bad movie plot from the ScyFy Channel that has taken hold in DHS?

That's one of the questions that the FDA answers a lot better than the DHS. The FDA has procedures to decide whether something is really a problem, so they can prioritize their efforts on the real threats. You could search the FDA's public device adverse events reporting database to see if any hacked pacemakers or insulin pumps have been reported.

You misunderstand my post. I am not saying that we shouldn't have these devices, but if the risk from the software, or somebody hacking the software is so great that homeland security has to take it over, then maybe the very benefits and tradeoffs you mention should be looked at again.

two different databases: Oracle on Solaris; not sure what it runs on Win 2000

dozens of mechanical controllers, sensors, pumps and actuators

etc

You can bet that on a product of this complexity, there will be updates.

There is no doubt that medical devices use all sort of operating systems and have all sorts of capabilities, but what they are talking about in the article is communications between patient devices like pacemakers, insulin pumps, etc. That is different than the equipment you show, or an MRI, CT scan, etc. Those, are true computer driven systems. The ones DHS are taking over are the kind that are embedded or worn on your body.

As with many things, the best path is in the middle. Critical systems should be updated as preventative maintenance, but administrators cannot rely on vendor testing alone.

Critical systems should also not be connected to the internet.

Or, to be more precise, should not be connected to the internet with unlimited IP address access in either direction. You can obtain (or at least you can if you're dealing with an important-enough Fed agency) nice little boxes that not only encrypt the crap out of your traffic but are set up only to send to specified addresses and only to receive from specified addresses. Aside from deliberate sabotage, this is a safe way to connect to a manufacturer's update-providing hub.

Or they could take the money assigned to DHS for medical device security and instead design a universal open-source electronic medical records system where security is maintained constant peer review and no one company has a monopoly on EMR's system.

First of all, no one does have a monopoly on EHR systems. There are a couple of large players and a host of smaller ones. I would maintain that you Do. Not. Want. a monoculture here - or anywhere. Security is not 'maintained' by constant 'peer review' (that word doesn't mean what you think it means). Security is a process and open source software is only a small (and not necessary) aspect of that.

There is an open source, Enterprise grade EHR system - VistA from the VA (Veterans Affairs) Department. It

OS is a no-go here mostly due to liability concerns and approval process. Medical Devices cost so much not because they are complicated technology (some of them are) but because when they explode, maim someone and give your uncle cancer there is a manufacturer and insurance to go after. You can design OS that is 100 times better than industry standard and it still won't be used because of the above.

Does this mean that DHS has access to source code and 0-day vulnerabilities for network attached medical equipment?Could this knowledge be user offensively, in a situation where say Kim Jong Un is in hospital for a heart operation, andDHS remotely pulls the plug on the life support machine?

Can this power be later extended to medical devices implanted in people, like defibrillators, insulin pumps etc.

Sorry to sound like Richard Stallman here for a second, but I would be very apprehensive having a device impl

Yeah, there is nothing wrong with that. DHS, the government agency that believes it is alright to do anything in the name of protecting the population, now has control over the pacemakers and insulin pumps of anybody they suspect might threaten the nation or their own power structure. Nothing will go wrong with that.

All DHS hate aside, this is much needed change. We have FIPS and it made our crypto much stronger. We have other standards and procurement requirements (CC, PCI, etc) that made inroads on making sure vendors at least consider security. It is about time the same applied to medical devices.

Why DHS, NIAP or NIST would be more appropriate agency to handle this.

The first issue that should be addressed is does anyone believe that 100% total bulletproof security is even possible today? Come on, do you think it is possible to have large, interlocking systems of computers communicating over a network with 100% security?

I think anyone reasonable will say "Heck no you can't!" There might be a few dreamers that think it is possible, but the amount of effort that would be required is beyond any reasonable standard. So sure, it might be possible to force all medical dev

DHS didn't step in as some grand plan. They were asked to intervene by Cylance, a security research company, when Philips wouldn't respond about the detected security holes.

Seriously, how many people could a terrorist kill if they took control of Philips systems?

Just because there is a theoretical security flaw that might be exploitable under some totally contrived test scenario is NOT a valid reason to involve an agency like DHS.

If the FDA didn't take it seriously, why should we hand the task to a bunch of airport friskers and coastguards men? (Apologies to Coasties everywhere).And why do a couple of self appointed "securities researches" get to sic DHS on anybody?

Terrorists? Killing? You, my good chum, are a typical example of the rampant paranoia and cowardice that has gripped the US. The slightest hint of DHS involvement and it's "ZOMG! KILLER TERRORISTS! PANIC! PANIC! PANIC!"

Still, being able to root a hospital can have serious implications that could indeed lead to deaths.